Password Best Practices

Introduction

The UMKC Information Services Password Policy is the
foundation of security for UMKC's SSO (Single Sign On) account. The SSO account
gives the user access to all the resources available on the UMKCnet. The
privileges and permissions granted by this account are unique to each user. The
protection of this account is the responsibility of the user. The most
important password policy is: Do not give your password to anyone.

Other parts of the Password Policy are covered in the
following sections of this document.

Complexity

Password complexity will be controlled at the Domain Policy
level through the use of Group Policy Objects. Complex passwords provide a
basic and important component of overall information security. A "strong"
password follows these guidelines:

Avoid using words from a dictionary, common or clever misspellings of words,
and foreign words.

Avoid using incrementing passwords with a digit.

Avoid preceding or appending passwords with a number.

Avoid using passwords that others can easily guess by looking at your desk
(such as names of pets, sports teams, and family members).

Avoid using words from popular culture.

Avoid thinking of passwords as words per se; think secret codes.

Enforce using passwords that require you to type with both hands on the
keyboard.

Enforce using uppercase and lowercase letters, numbers, and symbols in all
passwords.

Enforce using space characters and characters that can be produced only by
pressing the Alt key.
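
As an added illustration (not part of the UMKC policy or its Group Policy configuration), the following Python sketch checks a candidate password against several of the guidelines above: dictionary words and their common misspellings, numbers prepended or appended, incrementing a digit from the previous password, and the mix of character types. The wordlist, the substitution table and the function name check_password are constructed assumptions for this example.

```python
import re
import string

# Constructed sample wordlist (assumption); a real check would load a full dictionary.
WORDLIST = {"password", "welcome", "kangaroo", "royals"}
# Undo common character substitutions so "clever misspellings" map back to words.
LEET = str.maketrans("013457@$!", "oieastasi")
TRAILING_NUMBER = re.compile(r"(.*?)(\d+)")

def check_password(candidate, previous=None):
    """Return the guideline violations found; an empty list means none."""
    problems = []
    core = candidate.strip(string.digits)  # remove digits at either end
    if core != candidate:
        problems.append("number prepended or appended")
    # Normalize the core: lowercase, reverse substitutions, keep letters only.
    letters = re.sub(r"[^a-z]", "", core.lower().translate(LEET))
    if any(word in letters for word in WORDLIST):
        problems.append("dictionary word or misspelling")
    if previous is not None:
        new = TRAILING_NUMBER.fullmatch(candidate)
        old = TRAILING_NUMBER.fullmatch(previous)
        # Same stem with a different trailing number, e.g. "...7" then "...8".
        if new and old and new.group(1) == old.group(1) \
                and new.group(2) != old.group(2):
            problems.append("increments the previous password")
    classes = [str.isupper, str.islower, str.isdigit,
               lambda c: not c.isalnum()]  # symbols, including the space character
    if not all(any(test(c) for c in candidate) for test in classes):
        problems.append("missing a character class")
    return problems
```

A password such as "P@ssw0rd1" contains all four character types yet is still flagged twice, which is why the guidelines treat misspellings and appended numbers separately from character mix.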

Password History

The practice of enforcing
password history ensures that passwords are not reused in a short period of time
or that a short, cyclic list of passwords is not used. Reusing passwords allows
the user, in essence, to never change their password. Thus, this practice helps
maintain the effectiveness of password security of the SSO account.